Activate a PED-Authenticated Partition

In this section, the Partition SO configures the partition to allow Activation (caching of the authentication credential). Once the Activation policy is set, credentials are cached the next time the Crypto Officer or Crypto User logs in. This allows the Crypto Officer or Crypto User to log in once using their PED key, and open and close subsequent sessions using only a challenge secret (password). The Partition SO can optionally allow Auto-Activation, which preserves the cached PED credentials in the event of a restart or a brief power outage (up to 2 hours). For more information, see Activation and Auto-activation on PED-Authenticated Partitions in the Administration Guide.

The Partition SO must set an initial challenge secret for the Crypto Officer, and the Crypto Officer must set one for the Crypto User. See the correct section below for your user role:

>Partition SO

>Crypto Officer

>Crypto User [Optional]

Partition SO

These instructions are for the Partition SO. They assume that:

>You are running LunaCM on a SafeNet Luna HSM Client host computer containing, or connected to, an HSM with an application partition.

>The partition has at least a Crypto Officer role initialized. If the Crypto User role is also initialized, activation will be enabled for both roles.

To enable activation of a PED-authenticated application partition:

1. Set the active slot to the desired application partition.

lunacm:>slot set -slot <slotnum>

2. Log in as the Partition Security Officer.

lunacm:>role login -name po

3. Set partition policy 22: Allow activation for the partition.

lunacm:>partition changepolicy -policy 22 -value 1

4. [Optional] Set partition policy 23: Allow auto-activation for the partition.

lunacm:>partition changepolicy -policy 23 -value 1

5. Create an initial challenge secret for the Crypto Officer.

In LunaCM, passwords and challenge secrets must be 7-255 characters in length. The following characters are allowed:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~
Double quotation marks (") are problematic and should not be used in passwords.
Spaces are allowed; to specify a password that includes spaces using the -password option, enclose the password in double quotation marks.

lunacm:>role createchallenge -name co

6. Provide the initial challenge secret to the Crypto Officer by secure means. The CO will need to change the challenge secret before using the partition for any crypto operations.

7. Log out as Partition SO.

lunacm:>role logout

Once policy 22 is set, the black CO PED key credential will be cached the next time the CO logs in. From that point on, only the CO partition challenge secret is required to access the partition. The CO credential remains cached until the HSM loses power, or the role is explicitly deactivated using the command role deactivate. The credential is re-cached the next time the CO logs in.

NOTE   The Partition SO can stop automatic caching of the CO and CU credentials at any time by disabling partition policy 22: Allow activation (setting its value to 0).

Crypto Officer

These instructions are for the Crypto Officer. Ensure that you have the initial challenge secret provided by the Partition SO.

To activate the Crypto Officer role on an application partition:

1. Log in to the partition as the Crypto Officer. When prompted, enter the initial challenge secret.

lunacm:>role login -name co

The Crypto Officer PED secret is cached, and the role is now activated.

2. If you have not already done so on a previous login, change the initial CO PED secret. By default, the PED secret provided by the Partition SO expires after the initial login. If HSM policy 21: Force user PIN change after set/reset is set to 0 (off), you can continue to use the PED secret provided.

lunacm:>role changepw -name co

3. Change the initial CO challenge secret. You must include the -oldpw option to indicate that you wish to change the challenge secret (referred to as the secondary credential), rather than the black PED key (primary credential).

In LunaCM, passwords and challenge secrets must be 7-255 characters in length. The following characters are allowed:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~
Double quotation marks (") are problematic and should not be used in passwords.
Spaces are allowed; to specify a password that includes spaces using the -password option, enclose the password in double quotation marks.

lunacm:>role changepw -name co -oldpw <initial_challenge> -newpw <new_challenge>

4. [Optional] Create an initial challenge secret for the Crypto User.

In LunaCM, passwords and challenge secrets must be 7-255 characters in length. The following characters are allowed:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~
Double quotation marks (") are problematic and should not be used in passwords.
Spaces are allowed; to specify a password that includes spaces using the -password option, enclose the password in double quotation marks.

lunacm:>role createchallenge -name cu

5. [Optional] Provide the initial challenge secret to the Crypto User by secure means. The CU will need to change the challenge secret before using the partition for any crypto operations.

6. Log out as Crypto Officer.

lunacm:>role logout

With activation in place, you can log in once and put your black CO PED key away in a safe place. The cached credentials will allow your application(s) to open and close sessions and perform their operations within those sessions.
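The challenge-secret rules quoted in the Partition SO and Crypto Officer steps above (7-255 characters, the listed character set, no double quotation marks, quoting required only when the secret contains spaces) can be enforced before a secret is ever typed into LunaCM. The following helper is an added example and not part of the SafeNet documentation or the LunaCM tool; the function names are assumptions, and the generated secret is simply a random string over the page's allowed alphabet.

```python
import secrets
import string

# Character set LunaCM accepts for passwords and challenge secrets, as listed on the page.
# The space is a legitimate member; the double quotation mark is deliberately absent.
LUNACM_ALLOWED = (string.ascii_letters + string.digits
                  + " !@#$%^&*()-_=+[]{}\\|/;:',.<>?`~")
MIN_LEN, MAX_LEN = 7, 255


def check_challenge(secret: str) -> list[str]:
    """Return the rule violations for a candidate challenge secret (empty list if it is acceptable)."""
    problems = []
    if not MIN_LEN <= len(secret) <= MAX_LEN:
        problems.append(f"length {len(secret)} not in {MIN_LEN}-{MAX_LEN}")
    if '"' in secret:
        problems.append("contains double quotation mark")
    # Any other character outside the documented set is reported separately.
    bad = sorted({c for c in secret if c not in LUNACM_ALLOWED and c != '"'})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    return problems


def generate_challenge(length: int = 32, allow_space: bool = False) -> str:
    """Generate a random initial challenge secret from the allowed set.

    Spaces are excluded by default so the result never needs quoting on the LunaCM command line.
    """
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}-{MAX_LEN}")
    alphabet = LUNACM_ALLOWED if allow_space else LUNACM_ALLOWED.replace(" ", "")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def option_argument(secret: str, option: str = "-password") -> str:
    """Render a LunaCM option (e.g. -password, -newpw) with the secret, quoting only when spaces are present."""
    problems = check_challenge(secret)
    if problems:
        raise ValueError("secret violates LunaCM rules: " + "; ".join(problems))
    return f'{option} "{secret}"' if " " in secret else f"{option} {secret}"


if __name__ == "__main__":
    candidate = generate_challenge()
    print(option_argument(candidate, "-newpw"))  # ready to paste after: role changepw -name co -oldpw <initial_challenge>
```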

Crypto User [Optional]

These instructions are for the Crypto User. Ensure that you have the initial challenge secret provided by the Crypto Officer.

To activate the Crypto User role on an application partition:

1. Log in to the partition as the Crypto User. When prompted, enter the initial challenge secret.

lunacm:>role login -name cu

2. Change the initial CU challenge secret. You must include the -oldpw option to indicate that you wish to change the challenge secret (referred to as the secondary credential), rather than the gray PED key (primary credential).

lunacm:>role changepw -name cu -oldpw <initial_challenge> -newpw <new_challenge>

With activation in place, you can log in once and put your gray CU PED key away in a safe place. The cached credentials will allow your application(s) to open and close sessions and perform their operations within those sessions.